Open redirect in GitLab Enterprise Edition - CVE-2024-4612
Published: September 12, 2024
Vulnerability identifier: #VU97210
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-4612
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: GitLab, Inc
Affected software:
GitLab Enterprise Edition
GitLab Enterprise Edition
Detailed vulnerability description
The vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data in release permanent links. A remote user can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow for an account takeover by breaking the OAuth flow.
How to mitigate CVE-2024-4612
Install updates from vendor's website.